Plugin Examples

Basic Example

This plugin illustrates the basic concepts of Tenable Nessus Network Monitor plugin writing:

id=79873

nid=11414

hs_sport=143

name=IMAP Banner

description=An IMAP server is running on this port. Its banner is :\n %L

risk=NONE

match=OK

match=IMAP

match=server ready

regex=^.*OK.*IMAP.*server ready

This example uses the following fields:

  • id - A unique number assigned to this plugin.
  • nid - The Tenable Nessus ID of the corresponding Tenable Nessus NASL script.
  • hs_sport - The source port to key on if High Performance mode is enabled.
  • name - The name of the plugin.
  • description - A description of the problem or service.
  • match - The set of match patterns that must be found in the payload of the packet before the regular expression can be evaluated.
  • regex - The regular expression to apply to the packet payload.

Tip: The description contains the %L macro. If this plugin evaluates successfully, then the string pattern in the payload that matched the regular expression is stored in %L and prints out at report time.

Complex Example

id=79004

nid=10382

cve=CVE-2000-0318

bid=1144

hs_sport=143

name=Atrium Mercur Mailserver

description=The remote imap server is Mercur Mailserver 3.20. There is a flaw in this server (present up to version 3.20.02) which allow any authenticated user to read any file on the system. This includes other user mailboxes, or any system file. Warning : this flaw has not been actually checked but was deduced from the server banner

solution=There was no solution ready when this vulnerability was written; Please contact the vendor for updates that address this vulnerability.

risk=HIGH

match=>* OK

match=MERCUR

match=IMAP4-Server

regex=^\* OK.*MERCUR IMAP4-Server.*v3\.20\..*$

Tip: The first match pattern makes use of the > symbol. The > symbol indicates that the subsequent string must be at the beginning of the packet payload. Use of the > symbol is encouraged where possible as it is an inexpensive operation.

Case-Insensitive Example

There is a tool called SmartDownLoader that uploads and downloads large files. Unfortunately, versions 0.1 through 1.3 use the capitalization SmartDownloader, versions 1.4 through 2.7 use smartdownloader and versions 2.8 through current use SMARTdownloader. Searching for the various combinations of this text with purely the regex command would cause us to use a statement that looks like this:

regex=[sS][mM][aA][rR][tT][dD]own[lL]oader

However, with the regexi command, the search string is much less complex and less prone to creating an error:

regexi=smartdownloader

By using regexi, we can more quickly match on all three versions as well as future permutations of the string smartdownloader. In a case such as this, regexi is the logical choice.

id=79910

dependency=1442

hs_sport=6789

name=SmartDownLoader Detection

description=The remote host is running SmartDownLoader, a tool for performing rudimentary uploads and downloads of large binary files.

solution=Ensure that this application is in keeping with Corporate policies and guidelines

risk=MEDIUM

family=PeerToPeer

match=ownloader

regexi=smartdownloader

Above is a complete example Tenable Nessus Network Monitor plugin using the regexi keyword. The use of the match keyword searching for the string ownloader is not a typo. By searching for network sessions that have this string in them first, Tenable Nessus Network Monitor can avoid invoking the expensive regexi search algorithm unless the ownloader pattern is present.